From aa50dcff2ff9a4b641eff06e5d3276c1746f821d Mon Sep 17 00:00:00 2001
From: David Shaw <dshaw@jabberwocky.com>
Date: Sun, 10 Oct 2004 14:19:39 +0000
Subject: [PATCH] * keygen.c (do_add_key_flags): The spec says that all primary
 keys MUST be able to certify.  Force the certify flag on for primaries (and
 off for subkeys).

---
 g10/ChangeLog |  4 ++++
 g10/keygen.c  | 12 ++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/g10/ChangeLog b/g10/ChangeLog
index ab6de78e5..0153c29ce 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,5 +1,9 @@
 2004-10-10  David Shaw  <dshaw@jabberwocky.com>
 
+	* keygen.c (do_add_key_flags): The spec says that all primary keys
+	MUST be able to certify.  Force the certify flag on for primaries
+	(and off for subkeys).
+
 	* keygen.c (generate_keypair): Fix generating keys with the auth
 	flag.
 
diff --git a/g10/keygen.c b/g10/keygen.c
index 62ac28f1f..82ac11383 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -185,13 +185,13 @@ do_add_key_flags (PKT_signature *sig, unsigned int use)
         return;
 
     buf[0] = 0;
+
+    /* The spec says that all primary keys MUST be able to certify. */
+    if(sig->sig_class!=0x18)
+      buf[0] |= 0x01;
+
     if (use & PUBKEY_USAGE_SIG)
-      {
-	if(sig->sig_class==0x18)
-	  buf[0] |= 0x02; /* Don't set the certify flag for subkeys */
-	else
-	  buf[0] |= 0x01 | 0x02;
-      }
+      buf[0] |= 0x02;
     if (use & PUBKEY_USAGE_ENC)
         buf[0] |= 0x04 | 0x08;
     if (use & PUBKEY_USAGE_AUTH)